Merge "Update SELinux policy for Pre-reboot Dexopt." into main
diff --git a/private/aconfigd.te b/private/aconfigd.te
index 0e2a7ae..60559fc 100644
--- a/private/aconfigd.te
+++ b/private/aconfigd.te
@@ -28,16 +28,12 @@
# allow aconfigd to access shell_data_file for atest
userdebug_or_eng(`
allow aconfigd shell_data_file:dir search;
- allow aconfigd shell_data_file:file { getattr read open };
+ allow aconfigd shell_data_file:file { getattr read open map };
')
# allow aconfigd to log to the kernel.
allow aconfigd kmsg_device:chr_file w_file_perms;
-# allow aconfigd to read system/system_ext/product partition storage files
-allow aconfigd system_aconfig_storage_file:file r_file_perms;
-allow aconfigd system_aconfig_storage_file:dir r_dir_perms;
-
# allow aconfigd to read vendor partition storage files
allow aconfigd vendor_aconfig_storage_file:file r_file_perms;
allow aconfigd vendor_aconfig_storage_file:dir r_dir_perms;
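Review bot: Dropping the explicit `system_aconfig_storage_file` rules here leaves aconfigd's read access to the system/system_ext/product storage files dependent on the new `r_dir_file({ coredomain appdomain }, system_aconfig_storage_file);` rule in private/domain.te. That rule only covers aconfigd if its type carries the `coredomain` attribute, and the declaration is not visible in this hunk, so it is worth confirming. A one-line pointer where the rules were removed would stop a later reader from assuming the access was dropped, for example `# system/system_ext/product storage files: read access is granted to coredomain in domain.te`. The added `map` permission stays inside `userdebug_or_eng`, so it does not widen user builds.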
diff --git a/private/domain.te b/private/domain.te
index fd1d9fd..b9e11f0 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -209,12 +209,12 @@
-hal_omx_server
} {shell_exec toolbox_exec}:file rx_file_perms;
-# Allow everyone to read from flag value boot snapshot files and general pb files
+# Allow all (except vendor) to read from flag value boot snapshot files and general pb files
# The boot copy of the flag value files serves flag read traffic for all processes, thus
# needs to be readable by everybody. Also, the metadata directory will contain pb file
# that records where flag storage files are, so also needs to be readable by everbody.
-allow domain aconfig_storage_metadata_file:file r_file_perms;
-allow domain aconfig_storage_metadata_file:dir r_dir_perms;
+r_dir_file({ coredomain appdomain }, aconfig_storage_metadata_file);
+r_dir_file({ coredomain appdomain }, system_aconfig_storage_file);
# processes needs to access storage file stored at /metadata/aconfig/boot, require search
# permission on /metadata dir
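Review bot: The unchanged comment lines under the new header still say the files "needs to be readable by everybody", which now contradicts the `{ coredomain appdomain }` restriction; reword them, for example `# ... thus needs to be readable by all core and app domains.` Narrowing the allow rule also does not stop vendor policy from granting itself the same access. If excluding vendor domains is a requirement rather than a default, a matching `neverallow { domain -coredomain -appdomain } aconfig_storage_metadata_file:file no_rw_file_perms;` (and the same for `system_aconfig_storage_file`) would enforce it at build time, unless one already exists outside this hunk. Note as well that `r_dir_file` grants read on `lnk_file` in addition to the `file` and `dir` permissions the old rules gave.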
diff --git a/private/property_contexts b/private/property_contexts
index 163f75e..474316d 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -767,6 +767,7 @@
ro.lmk.thrashing_limit u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.thrashing_limit_critical u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.thrashing_limit_decay u:object_r:lmkd_config_prop:s0 exact int
+ro.lmk.direct_reclaim_threshold_ms u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.use_minfree_levels u:object_r:lmkd_config_prop:s0 exact bool
ro.lmk.use_new_strategy u:object_r:lmkd_config_prop:s0 exact bool
ro.lmk.use_psi u:object_r:lmkd_config_prop:s0 exact bool
diff --git a/private/system_server.te b/private/system_server.te
index 20511cb..7306773 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1014,6 +1014,7 @@
change_user
clear_ns
clear_uid
+ delete_all_keys
get_last_auth_time
lock
pull_metrics
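Review bot: `delete_all_keys` is a destructive permission, and it is added to system_server's list with no comment saying which caller needs it. The enclosing `allow` statement starts and ends outside this hunk, so the target type and class cannot be confirmed from here, and the merge title (Pre-reboot Dexopt) does not obviously relate to key deletion. A short rationale next to the entry or above the rule would make the least-privilege review possible later, for example `# delete_all_keys: needed by <feature/caller> (see <bug id>)`. It is also worth checking that the receiving service restricts this call to the intended code path and does not rely on the SELinux check alone.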